Web lists-archives.com

Re: [Samba] getent not showing domain users and groups with winbind but works with sssd




On Wed, 3 Oct 2018 15:16:50 +0200
Peter Milesson via samba <samba@xxxxxxxxxxxxxxx> wrote:

> 
> On 10/3/18 1:09 PM, Rowland Penny via samba wrote:
> > On Wed, 3 Oct 2018 12:45:11 +0200
> > Peter Milesson via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >
> >> Hi folks,
> >>
> >> I have finally nailed down the problem with the non-functional
> >> getent command when using winbind on a samba member server (AD
> >> domain).
> >>
> >> The problem was the entry
> >>
> >>      idmap config * : range 3000-9999
> > No, it wasn't
> >
> >> I used the instructions in
> >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >> as a template when setting up the server.
> >>
> >> Changing the line idmap config to
> >>
> >>      idmap config * : range = 16777216-33554431
> > I have no idea why doing that worked for you, all you have done is
> > moved the range.
> >
> >> A change of the wiki page would be in order ;-)
> > Sorry, but that isn't going to happen ;-)
> >
> >> The smb.conf below works well against my Samba AD DC.
> > and this is mine that works on my Centos 7 VM:
> >
> > [global]
> >      workgroup = SAMDOM
> >      security = ADS
> >      realm = SAMDOM.EXAMPLE.COM
> >
> >      dedicated keytab file = /etc/krb5.keytab
> >      kerberos method = secrets and keytab
> >      server string = Samba 4 Client %h
> >
> >      winbind use default domain = yes
> >      winbind expand groups = 4
> >      winbind refresh tickets = Yes
> >      winbind offline logon = yes
> >
> >      ## map ids outside of domain to tdb files.
> >      idmap config *:backend = tdb
> >      idmap config *:range = 3000-9999
> >      ## map ids from the domain  the ranges may not overlap !
> >      idmap config SAMDOM : backend = ad
> >      idmap config SAMDOM : schema_mode = rfc2307
> >      idmap config SAMDOM : unix_nss_info = yes
> >      idmap config SAMDOM : range = 10000-999999
> >      template shell = /bin/bash
> >      template homedir = /home/%U
> >
> >      domain master = no
> >      local master = no
> >      preferred master = no
> >      os level = 20
> >      map to guest = bad user
> >      host msdfs = no
> >
> >      # user Administrator workaround, without it you are unable to
> > set privileges username map = /etc/samba/user.map
> >
> >      # For ACL support on domain member
> >      vfs objects = acl_xattr full_audit
> >      map acl inherit = Yes
> >      store dos attributes = Yes
> >
> >      # Share Setting Globally
> >      unix extensions = no
> >      reset on zero vc = yes
> >      veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> >      hide unreadable = yes
> >
> >      # disable printing completely
> >      load printers = no
> >      printing = bsd
> >      printcap name = /dev/null
> >      disable spoolss = yes
> >
> >      # logging
> >      #log level = 10
> >      log level = 0
> >      map untrusted to domain = yes
> >
> > and this is the result:
> >
> > [root@cen1804 ~]# getent passwd rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> > [root@cen1804 ~]# getent group Domain\ Users
> > domain users:x:10000:rowland,...... long list of users.
> >
> > All I can think of is, you still have sssd installed, I don't.
> > Or something else isn't set up correctly.
> >
> > What do the following commands return:
> >
> > hostname
> > hostname -s
> > hostname -d
> > hostname -f
> > hostname -i
> >
> > What is in /etc/resolv.conf
> > What is in /etc/hosts
> > What is in /etc/krb5.conf
> >
> > Rowland
> >
> Hi Rowland,
> 
> Seems that I forgot to put the IP address of the host in hosts. SSSD
> is not installed. I wiped the previous installation, and installed
> again. I was very careful not to install SSSD. The packages I
> installed were:
> 
> samba samba-common samba-client samba-winbind samba-winbind-clients 
> krb5-workstation authconfig
> 
> When trying to use a Windows computer for administration (Computer 
> management) and connecting to the member server, there is a Windows 
> message that it was not possible to connect (problems with DCOM). 
> However, it's possible to browse the share on the samba member, and 
> create files.
> 
> Still works, after several restarts ;-)
> 
> Best regards,
> 
> Peter
> 
> hostname:    smbtest.samdom.local
> 
> hostname -s: smbtest
> 
> hostname -d:     samdom.local
> 
> hostname -f:    smbtest
> 
> hostname -i:    192.168.6.79

Oh great, the 'hostname' and 'hostname -f' test results are the wrong
way round. Try opening /etc/hostname in an editor and remove the domain
name i.e. I think you will find it is 'smbtest.samdom.local' make it
just 'smbtest'

> hosts
> ====
> 
> 127.0.0.1   localhost localhost.localdomain localhost4 
> localhost4.localdomain4
> ::1         localhost localhost.localdomain localhost6 
> localhost6.localdomain6
> 192.168.6.79 smbtest.samdom.local smbtest
> 

Try making /etc/hosts look like this:

127.0.0.1 localhost
::1       localhost
192.168.6.79 smbtest.samdom.local smbtest

Now run the 'hostname' tests again

Rowland
  


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba